A highly respected (including by me) internal audit leader is Richard J. Anderson. He retired a few years ago after leading PwC’s internal audit practice, and is now with DePaul University as a Clinical Professor. Dick recently wrote an interesting piece in the Journal of Accountancy that listed 10 ways for the audit committee to “facilitate proper oversight and direction of internal audit.”
I will let you read and consider each of these items. For audit committee members, all are worth considering. Internal audit leaders should ensure they have good answers should the audit committee ask about any of these issues.
Let me put my spin on a few.
1. Dick suggests that the audit committee “Evaluate the current and projected scope of internal audit coverage of risk management and governance.” I believe that the audit committee should ask whether internal audit has considered the risk to the organization should there be failures in the management of risk by the company’s leadership, or defects in any governance processes (which include the setting of objectives and strategies, oversight by the board, performance management, and more).
The audit committee should ask whether internal audit is able to provide an opinion, not only on internal controls, but on the combination of governance, risk management, and internal control processes. If they are not, they should ask why not. It is quite possible that internal audit has determined that these processes are insufficiently mature to merit a traditional assurance audit; instead, they are working with management and providing consulting services to help those processes mature. If that is the case, the internal audit leader should have ensured the audit committee understands the current maturity level, the risk that it represents to the organization, and whether management is taking the steps necessary and appropriate to bring them to acceptable levels.
2. Dick’s second point is also important. He asks that the audit committee “Ensure that internal audit’s risk-based plan is flexible and responsive to change.” As he explains, “Amid complex and dynamic risks, many internal audit groups update their risk assessments and audit plans more than once a year.”
“More than once a year” is barely touching the surface of the problem! When the business environment is as dynamic and full of rapid change as it is these days, internal audit should ensure it is addressing the risks that matter today. The audit plan should be dynamic and responsive to the changing internal and external environment.
Personally, I have used a rolling plan where engagements for the next month or possibly two are firm, and after that the plan is subject to change.
3. Dick continues by suggesting that the audit committee “Determine how internal auditors are using technology,” “Assess the strategic vision and plan for internal audit,” and “Define how internal audit will provide value to the organization.” The order is curious, and I would change it.
Internal audit must understand the assurance needs of the organization. It should develop a vision and plan to develop the capability and then meet those needs. As Dick says, “Providing assurance is a core and expected value driver for any internal audit function.” Additional, value-added consulting services can be added once those core services are being delivered.
Technology is an enabler. So, the services that internal audit will deliver need to be defined before the use of technology is considered. I agree with Dick that technology can make an amazing difference to the quality and efficiency of internal audit services — although I do not agree that they should provide “monitoring and data-mining capabilities to improve business-unit performance.” That is a management responsibility.
4. One point that Dick did not mention, perhaps because it was not highlighted in the underlying IIA 2010 Global Internal Audit Survey, is that internal audit needs to communicate effectively the results of their work to both the audit committee and management. (Dick makes a different point about communications with the audit committee.) Most internal audit reports are excessively long and fail to communicate concisely and clearly what their stakeholders need to know. The audit committee should review the audit reports they and management receive and consider whether they can be trimmed to at most a page with a few pages of attached detail for significant issues only.
5. I will close with perhaps the most important point for audit committees, and one that is not mentioned: does the chief audit executive (CAE) have the respect and standing within the organization to be effective? This requires not only the appropriate reporting relationships (functionally to the audit committee and administratively to a top executive or the audit committee chair), but that the CAE has the executive presence and capability to be effective. Do the CEO and CFO, together with other top executives, demonstrate respect for the CAE’s ability to help the organization succeed?
I welcome your views and comments.